Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 07-13-2007, 10:54 PM   #1
jimbo7
LQ Newbie
 
Registered: Jun 2006
Posts: 19

Rep: Reputation: 0
How secure is this IPTABLES setup?


I'm a bit of a newb and this is my first go at creating an iptables / NAT script. However, I'm not sure if this is secure enough...
I really want to make my config as secure as possible, so any suggestions/comments are greatly appreciated.

notes:
  • the script is run on my gateway machine
  • eth0 is my local (hopefully secure) network
  • wlan0 is my connection to the internet

Code:
#!/bin/sh
#
# Created by James Sullivan
# Last updated 13/07/07
#
#


PATH=/usr/sbin:/sbin:/bin:/usr/bin

# temporarily block all traffic.
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Delete/Flush old iptables rules
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Set default policies
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Prevent external packets from using loopback addr [OPTIONAL]
iptables -A INPUT   -i wlan0 -s 127.0.0.1 -j DROP
iptables -A FORWARD -i wlan0 -s 127.0.0.1 -j DROP
iptables -A INPUT   -i wlan0 -d 127.0.0.1 -j DROP
iptables -A FORWARD -i wlan0 -d 127.0.0.1 -j DROP

# Anything coming from/going to Internet should not
# use private addresses [OPTIONAL]
iptables -A FORWARD -i wlan0 -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i wlan0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i wlan0 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i wlan0 -s 10.0.0.0/8 -j DROP

# Block outgoing NetBios [OPTIONAL]
iptables -A FORWARD -p tcp --sport 137:139 -o eth0 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -o eth0 -j DROP
iptables -A OUTPUT -p tcp --sport 137:139 -o eth0 -j DROP
iptables -A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP

# Allow local loopback [NEEDED]
iptables -A INPUT -i lo -j ACCEPT

# Allow pings [OPTIONAL]
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT


############ STATE STUFF ############
# Accept existing connections [NEEDED]
iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow any new connections from internal network
# [ONLY NEEDED IF PORTS ARE NOT EXPLICITLY FORWARDED BELOW]
#iptables -A INPUT -m state --state NEW -i eth0 -j ACCEPT
#####################################

# Allow inbound services [OPTIONAL - DNS NEEDED]
iptables -A INPUT -p tcp -i wlan0 --dport 44444 -j ACCEPT #SSH
iptables -A INPUT -p tcp -i wlan0 --dport 23232 -j ACCEPT #Bittorrent
iptables -A INPUT -p udp -i wlan0 --dport 23232 -j ACCEPT #Bittorrent
iptables -A INPUT -p udp -i eth0  --dport 53 -j ACCEPT #DNS cache
iptables -A INPUT -p tcp -i eth0  --dport 53 -j ACCEPT #DNS cache
iptables -A INPUT -p udp -i eth0  --dport 137:139 -j ACCEPT #SAMBA
iptables -A INPUT -p tcp -i eth0  --dport 445 -j ACCEPT #SAMBA


# Allow forwarding of essential services [NEEDED]
iptables -A FORWARD -p tcp --dport 80 -j ACCEPT #WEB
iptables -A FORWARD -p tcp --dport 443 -j ACCEPT #HTTPS

# Don't forward from the outside to the inside [OPTIONAL]
iptables -A FORWARD -i wlan0 -o eth0 -j REJECT


# Masquerade [NEEDED]
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
 
Old 07-14-2007, 01:24 AM   #2
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198
That's pretty secure and unusually clear for a first time firewall.

You are offering a few services... be aware of the vulnerabilities of these services. This is where you will be attacked.

Note, you can use samba tools to further secure... samba.
http://troy.jdmz.net/samba/fw/
 
Old 07-14-2007, 04:33 AM   #3
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Here are a few things I would recommend to tighten it a bit:


Quote:
Originally Posted by jimbo7
iptables -A FORWARD -p tcp --dport 80 -j ACCEPT #WEB
iptables -A FORWARD -p tcp --dport 443 -j ACCEPT #HTTPS
Make these more specific, with interface names and packet states. Like:
Code:
iptables -A FORWARD -p tcp -i eth0 -o wlan0 --dport 80 \
-m state --state NEW -j ACCEPT

iptables -A FORWARD -p tcp -i eth0 -o wlan0 --dport 443 \
-m state --state NEW -j ACCEPT

Quote:
Originally Posted by jimbo7
# Don't forward from the outside to the inside [OPTIONAL]
iptables -A FORWARD -i wlan0 -o eth0 -j REJECT
Eliminate this rule.

You are much better off letting the packets hit the DROP policy.


Quote:
Originally Posted by jimbo7
echo 1 > /proc/sys/net/ipv4/ip_forward
Add a line like this to the start of the script, but have it echo a zero instead of a one. This way, you know that any time the script is run, forwarding will be disabled until everything is set up.


Quote:
Originally Posted by jimbo7
iptables -A OUTPUT -p tcp --sport 137:139 -o eth0 -j DROP
iptables -A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP
Sending OUTPUT packets to DROP without sending them to LOG first is a habit that should be avoided as much as possible. Generally speaking, it's important to know exactly when unusual packets are being generated by your box. It can sometimes mean the difference between (for example) knowing your Apache's been owned, and being clueless about it.
Code:
iptables -A OUTPUT -p tcp --sport 137:139 -o eth0 -j LOG \
--log-prefix "OUTPUT DROP: "
iptables -A OUTPUT -p tcp --sport 137:139 -o eth0 -j DROP

iptables -A OUTPUT -p udp --sport 137:139 -o eth0 -j LOG \
--log-prefix "OUTPUT DROP: "
iptables -A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP

Last edited by win32sux; 07-14-2007 at 04:40 AM.
 
Old 07-16-2007, 02:24 AM   #4
jimbo7
LQ Newbie
 
Registered: Jun 2006
Posts: 19

Original Poster
Rep: Reputation: 0
Thanks for your help guys.

I have made the suggested changes, and fixed a couple of things I got wrong (mixed up eth0 and wlan0 in my NetBIOS blocks).

Here is the latest version:

Code:
#!/bin/sh
#
# Created by James Sullivan
# Last updated 16/07/07
#
#


PATH=/usr/sbin:/sbin:/bin:/usr/bin

# temporarily disable routing
echo 0 > /proc/sys/net/ipv4/ip_forward

# temporarily block all traffic
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Delete/Flush old iptables rules
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Set default policies
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Prevent external packets from using loopback addresses [OPTIONAL]
iptables -A INPUT   -i wlan0 -s 127.0.0.1 -j DROP
iptables -A INPUT   -i wlan0 -d 127.0.0.1 -j DROP
iptables -A FORWARD -i wlan0 -s 127.0.0.1 -j DROP
iptables -A FORWARD -i wlan0 -d 127.0.0.1 -j DROP

# Anything coming from/going to Internet should not
# use private addresses [OPTIONAL]
iptables -A INPUT   -i wlan0 -s 172.16.0.0/12  -j DROP
iptables -A INPUT   -i wlan0 -s 10.0.0.0/8     -j DROP
iptables -A INPUT   -i wlan0 -s 192.168.0.0/24 -j DROP
iptables -A FORWARD -i wlan0 -s 172.16.0.0/12  -j DROP
iptables -A FORWARD -i wlan0 -s 10.0.0.0/8     -j DROP
iptables -A FORWARD -i wlan0 -s 192.168.0.0/24 -j DROP

# Block outgoing NetBios [OPTIONAL]
iptables -A FORWARD -p tcp --sport 137:139 -o wlan0 -j LOG --log-prefix "FORWARD DROP: "
iptables -A FORWARD -p tcp --sport 137:139 -o wlan0 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -o wlan0 -j LOG --log-prefix "FORWARD DROP: "
iptables -A FORWARD -p udp --sport 137:139 -o wlan0 -j DROP
iptables -A OUTPUT  -p tcp --sport 137:139 -o wlan0 -j LOG --log-prefix "OUTPUT DROP: "
iptables -A OUTPUT  -p tcp --sport 137:139 -o wlan0 -j DROP
iptables -A OUTPUT  -p udp --sport 137:139 -o wlan0 -j LOG --log-prefix "OUTPUT DROP: "
iptables -A OUTPUT  -p udp --sport 137:139 -o wlan0 -j DROP

# Allow local loopback [NEEDED]
iptables -A INPUT -i lo -j ACCEPT

# Allow pings [OPTIONAL]
iptables -A INPUT   -p icmp --icmp-type echo-request -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT


############ STATE STUFF ############
# Accept existing connections [NEEDED]
iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow any new connections from internal network
# [ONLY NEEDED IF PORTS ARE NOT EXPLICITLY FORWARDED BELOW]
#iptables -A INPUT -m state --state NEW -i eth0 -j ACCEPT
#####################################

# Externally accessible inbound services [OPTIONAL]
iptables -A INPUT -p tcp --dport 44444 -m state --state NEW -j ACCEPT #SSH
iptables -A INPUT -p tcp -i wlan0 --dport 23232 -m state --state NEW -j ACCEPT #Bittorrent
iptables -A INPUT -p udp -i wlan0 --dport 23232 -m state --state NEW -j ACCEPT #Bittorrent

# Internal inbound services [OPTIONAL - DNS NEEDED]
iptables -A INPUT -p udp -i eth0 --dport 53      -m state --state NEW -j ACCEPT #DNS cache
iptables -A INPUT -p tcp -i eth0 --dport 53      -m state --state NEW -j ACCEPT #DNS cache
iptables -A INPUT -p udp -i eth0 --dport 137:139 -m state --state NEW -j ACCEPT #SAMBA
iptables -A INPUT -p tcp -i eth0 --dport 445     -m state --state NEW -j ACCEPT #SAMBA

# Allow forwarding of essential services [NEEDED]
iptables -A FORWARD -p tcp --dport 80 -j ACCEPT #WEB
iptables -A FORWARD -p tcp --dport 443 -j ACCEPT #HTTPS

# Masquerade [NEEDED]
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
 
Old 07-16-2007, 01:59 PM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Looks good. Although, you're still forwarding port 80 and 443 packets regardless of the interface they hit or what state they have. I haven't run a test, but I would suspect this opens you up to certain types of mischief at the very least. Better safe than sorry, no?
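Added example, not code from any post in this thread: a small dry-run helper script that packages the two points win32sux makes in posts #3 and #5. `log_drop` emits the LOG-then-DROP pair so that a blocked packet leaves a trace in the kernel log, and `lint_forward_accepts` prints every FORWARD ACCEPT rule in a script that is not pinned to an inbound interface, an outbound interface and the NEW state. The `IPTABLES` variable, the `-m limit` rate values and the sample rule list are my own choices; run as-is the script only echoes the rules it would add, so it is safe to try on any box.

```shell
#!/bin/sh
# Added example (not from the thread). By default the helpers only print the
# iptables commands they would run; set IPTABLES=iptables (as root) to apply.
IPTABLES="${IPTABLES:-echo iptables}"

# log_drop CHAIN MATCH...
# Emit a LOG rule followed by a DROP rule for the same match. The -m limit
# match (standard iptables, chosen here as a caveat) keeps a burst of blocked
# packets from flooding syslog while still recording that drops are happening.
log_drop() {
    chain=$1
    shift
    $IPTABLES -A "$chain" "$@" -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "$chain DROP: "
    $IPTABLES -A "$chain" "$@" -j DROP
}

# lint_forward_accepts < SCRIPT
# Print each FORWARD ACCEPT rule that lacks -i, -o or --state NEW, i.e. a rule
# that forwards regardless of which interface the packet arrived on or what
# state it has. ESTABLISHED,RELATED rules are meant to be interface-agnostic
# and are skipped.
lint_forward_accepts() {
    awk '/^iptables -A FORWARD .*-j ACCEPT/ && !/ESTABLISHED/ {
        if ($0 !~ /-i [a-z0-9]+/ || $0 !~ /-o [a-z0-9]+/ || $0 !~ /--state NEW/)
            print
    }'
}

# Constructed sample: the bare port 80 rule and ping rule from the 16/07/07
# script next to a fully qualified HTTPS rule.
SAMPLE_RULES='iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
iptables -A FORWARD -p tcp --dport 80 -j ACCEPT #WEB
iptables -A FORWARD -p tcp -i eth0 -o wlan0  -m state --state NEW --dport 443 -j ACCEPT #HTTPS'

echo "== FORWARD rules that still need interfaces and state =="
printf '%s\n' "$SAMPLE_RULES" | lint_forward_accepts

echo "== NetBIOS block, logged before dropping =="
log_drop OUTPUT -p tcp --sport 137:139 -o wlan0
log_drop OUTPUT -p udp --sport 137:139 -o wlan0
```

To lint a real script, pipe it in: `lint_forward_accepts < /etc/firewall.sh`. Anything it prints is a rule that matches packets from either interface in either direction, which is exactly the case post #5 warns about.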
 
Old 07-19-2007, 08:32 AM   #6
jimbo7
LQ Newbie
 
Registered: Jun 2006
Posts: 19

Original Poster
Rep: Reputation: 0
Whoops, forgot those ones. Updated:

Code:
#!/bin/sh
#
# Created by James Sullivan
# Last updated 16/07/07
#
# wlan0 > interface connected to internet (via router / etc)
# eth0  > interface connected to local protected network


PATH=/usr/sbin:/sbin:/bin:/usr/bin

# temporarily disable routing and block all traffic
echo 0 > /proc/sys/net/ipv4/ip_forward
iptables -P OUTPUT  DROP
iptables -P INPUT   DROP
iptables -P FORWARD DROP

# Delete/Flush old iptables rules
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Set default policies
iptables -P OUTPUT  ACCEPT
iptables -P INPUT   DROP
iptables -P FORWARD DROP

# Prevent external packets from using loopback addresses [OPTIONAL]
iptables -A INPUT   -i wlan0 -s 127.0.0.1 -j DROP
iptables -A INPUT   -i wlan0 -d 127.0.0.1 -j DROP
iptables -A FORWARD -i wlan0 -s 127.0.0.1 -j DROP
iptables -A FORWARD -i wlan0 -d 127.0.0.1 -j DROP

# Anything coming from/going to Internet should not
# use private addresses [OPTIONAL]
iptables -A INPUT   -i wlan0 -s 172.16.0.0/12  -j DROP
iptables -A INPUT   -i wlan0 -s 10.0.0.0/8     -j DROP
iptables -A INPUT   -i wlan0 -s 192.168.0.0/24 -j DROP
iptables -A FORWARD -i wlan0 -s 172.16.0.0/12  -j DROP
iptables -A FORWARD -i wlan0 -s 10.0.0.0/8     -j DROP
iptables -A FORWARD -i wlan0 -s 192.168.0.0/24 -j DROP

# Block outgoing NetBios [OPTIONAL]
iptables -A FORWARD -p tcp --sport 137:139 -o wlan0 -j LOG --log-prefix "FORWARD DROP: "
iptables -A FORWARD -p tcp --sport 137:139 -o wlan0 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -o wlan0 -j LOG --log-prefix "FORWARD DROP: "
iptables -A FORWARD -p udp --sport 137:139 -o wlan0 -j DROP
iptables -A OUTPUT  -p tcp --sport 137:139 -o wlan0 -j LOG --log-prefix "OUTPUT DROP: "
iptables -A OUTPUT  -p tcp --sport 137:139 -o wlan0 -j DROP
iptables -A OUTPUT  -p udp --sport 137:139 -o wlan0 -j LOG --log-prefix "OUTPUT DROP: "
iptables -A OUTPUT  -p udp --sport 137:139 -o wlan0 -j DROP

# Allow local loopback [NEEDED]
iptables -A INPUT -i lo -j ACCEPT

# Allow pings [OPTIONAL]
iptables -A INPUT   -p icmp --icmp-type echo-request -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT


############ STATE STUFF ############
# Accept existing connections [NEEDED]
iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow any new connections from internal network
# [ONLY NEEDED IF PORTS ARE NOT EXPLICITLY FORWARDED BELOW]
#iptables -A INPUT -m state --state NEW -i eth0 -j ACCEPT
#####################################

# Externally accessible inbound services [OPTIONAL]
iptables -A INPUT -p tcp --dport 44444 -m state --state NEW -j ACCEPT #SSH
iptables -A INPUT -p tcp -i wlan0 --dport 23232 -m state --state NEW -j ACCEPT #Bittorrent
iptables -A INPUT -p udp -i wlan0 --dport 23232 -m state --state NEW -j ACCEPT #Bittorrent

# Internal inbound services [OPTIONAL - DNS NEEDED]
iptables -A INPUT -p udp -i eth0 --dport 53      -m state --state NEW -j ACCEPT #DNS cache
iptables -A INPUT -p tcp -i eth0 --dport 53      -m state --state NEW -j ACCEPT #DNS cache
iptables -A INPUT -p udp -i eth0 --dport 137:139 -m state --state NEW -j ACCEPT #SAMBA
iptables -A INPUT -p tcp -i eth0 --dport 445     -m state --state NEW -j ACCEPT #SAMBA

# Allow forwarding of essential services [NEEDED]
iptables -A FORWARD -p tcp -i eth0 -o wlan0  -m state --state NEW --dport 80  -j ACCEPT #WEB
iptables -A FORWARD -p tcp -i eth0 -o wlan0  -m state --state NEW --dport 443 -j ACCEPT #HTTPS

# Masquerade [NEEDED]
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
 
All times are GMT -5. The time now is 01:05 AM.